Redspin Security Management Advisory
Volume 16 | October 2009
The Analyst View
Several analysts, including Forrester Research and Gartner, say server virtualization projects will again be among the top IT projects as measured by increase in spending from 2009 to 2010. According to client surveys, server virtualization ranks right behind security among the top projects for 2010, with security remaining the number one IT priority overall.
Implications
Presumably, this means that many of you have deployed or are considering a server virtualization project. Redspin's Security Management Advisory looks at some of the issues and, as you might expect, recommends that an information security assessment may be the keystone to make sure your program is working predictably and according to plan, from both a business and a technical perspective.
The Virtual Landscape
With such a strong tailwind from the analyst and vendor community, the financial justifications for virtualized environments are often taken for granted. Many others have covered that ground, so we will leave you with the existing analyses of capital equipment savings. What requires a bit more examination is the set of policies, procedures and practices for getting the highest rate of return from the deployed virtualized environment. The nature of virtualization can lead to a high rate of server sprawl. The options for management procedures are also numerous. Additionally, the goal of creating a high ratio of virtual machines to physical boxes leads to a lack of visibility that can confound IT personnel. The normal troubleshooting technique of deploying sniffers on SPAN ports is no longer possible. Similarly, traditional monitoring approaches are difficult or impossible.
As a result, to get the most out of your virtualized deployment, we recommend a close examination of the policies that will govern the IT environment. The goal is to create a degree of rigor with respect to management policy such that the IT and security teams can keep pace with the capabilities of your environment.
A Look at a Few Issues
Within virtualized environments, a number of management mechanisms exist to control resources and manage the environment. Some of the possibilities are illustrated in Figure 1.
Figure 1. Control Possibilities Within a Virtualized Environment
Let's just call out a few possibilities for taking action within the virtualized environment:
- Through SSH (Secure Shell) access
- Copy virtual machine
- Change network configuration
- Through Web Access
- Through VMware Virtual Infrastructure Client
- Start, Stop, Snapshot VMs (Virtual Machines)
- Allocate Resources
- Move Virtual Machines
A number of security issues arise:
- Are these actions logged consistently?
- Are all of the users properly authorized to perform these actions?
- Is there sufficient visibility to track and identify problems?
- Have the results of the actions been tested?
The Bottom Line
The bottom line is that virtualized environments have already demonstrated major economic benefits. To realize these benefits, one key consideration is to keep security in mind. A broken or compromised system has no economic benefit. Therefore, we encourage you to consider an information security assessment. Make sure your policies are solid and your team has the structure and guidance to get the most out of your virtual environment, from the point of view of both performance and predictability.